----- Original Message -----
From: "Jamie Lokier" <jamie@shareable.org>
> The difference is that HTTP message boundaries (Content-Length etc.)
> and <soap:Envelope> are normally parsed by different software.
>
> Message boundaries are parsed by proxies, and those should not have
> any knowledge of <soap:Envelope> or other non-HTTP message boundary
> terminators. Message boundaries are also often parsed by generic HTTP
> agents, before passing individual messages to specific applications.
I won't argue against the difference (software, agent, proxy or app
implementation), but in the TR-69 domain there seems to be no proxy between
server and client.
By the way, if in generic HTTP domains there is such a security hole, either
the application should not be additionally layered with a generic HTTP agent
(library) or the RFC should have precisely/clearly mandated at least one of
Content-Length and chunked encoding.
>
>> In any situation, the receiver should be able to recover from error
>> input.
>
> If HTTP message boundaries aren't clear, it opens a whole bunch of
> security holes. Especially, connections from proxies may carry
> messages from multiple unrelated users at the same time.
>
> -- Jamie
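
The message-boundary concern discussed in this thread, as an added example that is not part of the original messages: a strict check a receiver can run on request headers before reading the body, so that it and any intermediary cannot disagree about where the message ends. It assumes the RFC 7230 rules for requests and a reject-on-doubt policy; the function names and the sample header block are constructed for illustration.

```python
class AmbiguousFraming(ValueError):
    """Raised when the end of the message cannot be determined safely."""

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw header block (CRLF-separated, start line already removed)."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        # A missing colon or whitespace around the field name is a common
        # source of disagreement between parsers, so reject it outright.
        if not sep or not name or name != name.strip():
            raise AmbiguousFraming(f"malformed header line: {line!r}")
        headers.append((name.decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return headers

def request_framing(headers):
    """Return ("chunked", None), ("length", n) or ("none", 0) for a request."""
    te = [v for k, v in headers if k == "transfer-encoding"]
    cl = [v for k, v in headers if k == "content-length"]
    if te and cl:
        # Stricter than the RFC minimum: never guess which header wins.
        raise AmbiguousFraming("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise AmbiguousFraming("final transfer coding is not chunked")
        return ("chunked", None)
    if cl:
        # Repeated headers are tolerated only if every value is identical.
        values = {c.strip() for v in cl for c in v.split(",")}
        if len(values) != 1:
            raise AmbiguousFraming("conflicting Content-Length values")
        (value,) = values
        if not (value.isascii() and value.isdigit()):
            raise AmbiguousFraming(f"invalid Content-Length: {value!r}")
        return ("length", int(value))
    return ("none", 0)  # a request with neither header has no body

# Constructed sample: headers of a SOAP POST (host name is a placeholder).
CONSTRUCTED_SOAP_POST = (b"Host: acs.example\r\n"
                         b"Content-Type: text/xml\r\n"
                         b"Content-Length: 312\r\n")
```

With this check the body length is decided from the HTTP headers alone, before any <soap:Envelope> parsing takes place.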